Security Research
Competitive audit contests, fuzzing harnesses, and formal verification. No accepted findings on the board yet, but every engagement below ships with runnable PoCs, invariant suites, and specs, all public. The scoreboard will catch up.
Chainlink Payment Abstraction V2
Code4rena · Competitive Audit · $65,000 USDC pool
March 2026
1,060 nSLOC across 13 contracts
A permissionless Dutch auction system converting protocol fee tokens into LINK, with CowSwap (GPv2) settlement integration. I ran a full multi-layer review: threat modeling and trust-boundary mapping, static analysis triage, property-based and stateful fuzzing, formal verification specs, and manual review of the auction curve, rounding direction, and privileged-role escalation paths.
- 8 Foundry invariant tests + 48 Medusa stateful assertion tests over the auction curve and settlement flows
- Certora specs for BaseAuction, GPV2CompatibleAuction, and PriceManager
- Triaged 50 Slither findings; consolidated report covering CowSwap dust-fill vectors, price-staleness edge cases, and role centralization risks
Kuru Labs On-chain CLOB
Cantina · Competitive Audit
2026
Full contracts directory: order book, margin account, router, forwarder
A fully on-chain central limit order book with backstop AMM liquidity: bitmap-tree price discovery, price-time priority matching over linked lists, and a margin account handling all maker credits. I dug into the order-matching math, flip-order rounding accumulation, the meta-transaction forwarder's non-sequential nonce scheme, and market-parameter misconfiguration as a DoS surface.
- Deep-dive on TreeMath bitmap price tree and O(n) linked-list matching for ordering and rounding faults
- Analyzed KuruForwarder EIP-712 flows: replay surface of timestamp-as-nonce cancel requests
- Built deploy + benchmark harnesses to measure storage-orderbook gas behavior under fragmented fills
Also hardening contracts professionally: test suites, fuzz coverage, and security reviews at AttenomicsLabs & Qoneqt.